Insights

We are on a mission to change standard thinking.

You do not choose when you are hacked – ISO 27001

Mar 20, 2013 |

Posted by Eoin Hamilton

Why ISO 27001 prevention is better than a hacking cure

South Korean banks and TV stations were victims of a previously unknown hacking group who have identified themselves as “Whois Team”. This attack happened during Wednesday local Korean time. The attack has resulted in the Korean army raising its own state of readiness in response and even one of the banks affected has lost 1% of its share value overnight. This starkly highlights the need for prevention in the form of ISO 27001 Information Security Management Systems because you do not choose when you are hacked.

This represents the latest in a long line of attacks from hackers, some attributing the blame towards a group of 3,000 North Korean soldiers who make up the Pyongyang cyber warfare unit. Regardless of the attacks source, a hacking attack is best planned for and prevented, than fixed after the fact. Information Security Management Systems that make up part of the ISO 27001 standard are recognised as best practise world wide.

In this instance hackers gained access to the secure systems of KBS, MBC and YTN, three of the main broadcasters in South Korea as well as Shinhan Bank and NongHyup Bank. Computer screens were said to show Skulls and a message explaining that this was only the start of the “Whois Team’s” campaign.

This is particularly worrying for the Banks involved, as according to a survey carried out by Data Security business BotRevolt last year, 40% of all hacking attempts are made with stolen data or personal information.

When Burger King’s twitter account was hacked earlier this year and a malicious message staying that they had been sold to arch-rivals McDonald’s the cause was seen as the loss of personal information when Twitter was hacked in February of this year. The systems that ISO 27001 espouse and require to be put in place protect client’s, customer and employee information. By managing risks to information security effectively the businesses brand is protected.

This 1% loss of share price to the bank represents not only a loss of cold hard cash but also reputation. South Korea’s capital Seoul is largely a cashless society with many users choosing to pay with credit or debit cards. This attack had rendered all non-cash forms of payment impossible if the consumer or the business was customer of any of the banks affected. To make matters worse ATM’s were struck as part of the sophisticated attack which will have taken between one and six months to organise according to Kwon Seok-chul, chief executive officer of Seoul-based cyber security firm Cuvepia Inc.

The real cost to the businesses could run to millions and millions of Euro and the entire investigation will take months according to Lim Jong-in, the dean of Korea University’s Graduate School of Information Security.